32489 – feMerge crahses if feMergeNodes attribute in is empty

Bug 32489 - feMerge crahses if feMergeNodes attribute in is empty

Summary: feMerge crahses if feMergeNodes attribute in is empty

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	525.x (Safari 3.1)
Hardware:	PC OS X 10.5

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	68469 26389
	Show dependency tree / graph

Reported:	2009-12-13 08:43 PST by Dirk Schulze
Modified:	2014-05-12 05:54 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
feMergeNode empty -- crash (643 bytes, image/svg+xml) 2009-12-13 08:43 PST, Dirk Schulze	no flags	Details
fix of feMerge (24.46 KB, patch) 2009-12-16 13:24 PST, Dirk Schulze	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dirk Schulze 2009-12-13 08:43:43 PST

Created attachment 44757 [details]
feMergeNode empty -- crash

If one of the feMergeNodes attribute 'in' is empty and the related feMerge element is not the first effect of the filter, webkit crashes.

If the 'in' attribute is empty, SVGFilterBuilder::getElementById gives either one of the predefined SourceGraphics back or the last effect that was added.
This works if there is no last effect. The SourceGraphic is given back and no crash appears. We have a test for this: svg/custom/emty-merge.svg.

In the case of a lastEffect, getElementId also gives the right effect back. But WebKit crashes during WebCore::FilterEffect::calculateEffectRect in FEMerge. I don't have a debug build atm, but I guess that the reference to the last effect is bogus.

I attached an example. Everything works, if feOffset gets an result="" and the mergeNode adresses this result.

Comment 1 Dirk Schulze 2009-12-16 13:24:30 PST

Created attachment 45010 [details]
fix of feMerge

Take the reference of the effect not just the pointer. This fixes the crash.

Comment 2 Dirk Schulze 2009-12-16 13:25:03 PST

Comment on attachment 45010 [details]
fix of feMerge

sorry, wrong flag.

Comment 3 WebKit Review Bot 2009-12-16 13:29:33 PST

style-queue ran check-webkit-style on attachment 45010 [details] without any errors.

Comment 4 Nikolas Zimmermann 2009-12-16 13:45:41 PST

Comment on attachment 45010 [details]
fix of feMerge

LGTM, r=me.

Comment 5 WebKit Commit Bot 2009-12-16 13:57:02 PST

Comment on attachment 45010 [details]
fix of feMerge

Clearing flags on attachment: 45010

Committed r52219: <http://trac.webkit.org/changeset/52219>

Comment 6 WebKit Commit Bot 2009-12-16 13:57:06 PST

All reviewed patches have been landed.  Closing bug.